June 2005
Report No. 05-022

Central Data Repository Project Management

AUDIT REPORT

Background and Purpose of Audit

Financial institutions regulated by the Call Report agencies are required to submit quarterly Consolidated Reports of Condition and Income, commonly referred to as Call Reports. To improve the regulatory call reporting process, the FDIC, on behalf of the Call Report agencies, entered into a $39 million contract with Unisys Corporation for the central data repository (CDR) system. The contract consists of a phased approach for implementing the new call reporting process. Among other benefits, the CDR system (1) would provide data to the industry more quickly in a manner that allows more flexibility for data analysis and (2) would increase efficiencies, resulting in a cost savings of $27 million over the 10-year life of the contract. The contract was modified in January 2005 to address industry feedback and allow more time for system testing and enrollment. The modification revised the system deployment date from October 2004 to September 2005.

The CDR Steering Committee was established to oversee the system development effort and includes representatives from the Federal Reserve Board, the Office of the Comptroller of the Currency, and the FDIC.

The audit objective was to determine whether CDR project management was adequate.

Results of Audit

The CDR project management has generally adopted project management practices recommended by industry standards. However, faced with the challenges of fielding new technology, accommodating highly diverse users, and adopting new business practices, CDR implementation has been delayed for at least 1 year. The lack of progress raises concerns as to whether system functionality as originally envisioned can be attained. The CDR project management team has reported the delays encountered to the Capital Investment Review Committee and has made changes in key project management positions, increased oversight, and included a penalty for non-performance in the contract with Unisys to address project progress and performance. Unisys also identified a need to improve communication between the FDIC project teams and the contractor in resolving disagreements on requirements and to provide additional resources for the project.

However, the CDR project team has not updated the risk management and contingency plans to address the risks posed by:

• pending change requests related to significant functionalities;
• requirements to be met after, rather than upon, system delivery;
• secondary options for system functionalities that, if not exercised or developed, substantially decrease the expected benefits, and
• continued delays in meeting milestones.

Recommendations and Management Response

The report recommends that the FDIC:

• Determine the cost, schedule, and benefits impact of the change requests, delayed requirements, and secondary options before the system delivery date.
• Revise the risk management plan to address post-delivery requirements.
• Update the contingency plan to reflect the revised project schedule and available options if the September 2005 delivery date is not met.

FDIC management agreed with the recommendations and has taken or planned actions to address them.

To view the full report, go to www.fdicig.gov/2005reports.asp

TABLE OF CONTENTS

BACKGROUND

RESULTS OF AUDIT

RISK MANAGEMENT AND CONTINGENCY PLANNING
  Risk Management Guidance
  Impact of System Status on Cost, Schedule, and Benefits
  Change Requests
  Delayed Functionalities
  Secondary Options for System Functionalities
  Schedule Slippages

RECOMMENDATIONS

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: CDR CHANGE CONTROL PROCESS

APPENDIX III: DELAYED FUNCTIONALITIES AND SECONDARY OPTIONS

APPENDIX IV: SEVERE DEFECTS IDENTIFIED IN MARCH 22, 2005 UNISYS TROUBLE REPORT

APPENDIX V: DETERMINATION OF RISK

APPENDIX VI: CORPORATION COMMENTS

APPENDIX VII: MANAGEMENT RESPONSE TO RECOMMENDATIONS

TABLES

Table 1: CDR Project Schedule of Key Tasks
Table 2: Risk Areas That Could Affect the CDR Project
Table 3: Change Requests With a High Impact on the CDR Project

Federal Deposit Insurance Corporation
801 17th Street NW, Washington, DC 20434
Office of Audits
Office of Inspector General

DATE: June 15, 2005

MEMORANDUM TO:
  Steven O. App
  Deputy to the Chairman and Chief Financial Officer

  Michael E. Bartell
  Chief Information Officer and Director, Division of Information Technology

  Arthur J. Murton, Director
  Division of Insurance and Research

FROM:
  Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
  Assistant Inspector General for Audits

SUBJECT: Central Data Repository Project Management (Report No. 05-022)

This report presents the results of the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General’s (OIG) audit of the Federal Financial Institutions Examination Council’s (FFIEC) project management of the Central Data Repository (CDR) system development.
The objective of the audit was to determine whether CDR project management was adequate. Appendix I describes in detail our objective, scope, and methodology.

The FDIC, acting in its corporate capacity on behalf of the FFIEC Call Report agencies,[1] entered into a contract with Unisys Corporation for the design, development, testing, implementation, hosting, and maintenance of the CDR system to improve the regulatory call reporting process. The contract consists of a phased approach for implementing a new call reporting process and Uniform Bank Performance Reporting (UBPR) and banking information distribution processes. The FDIC planned to fully implement the call reporting process for financial institution use in submitting the quarterly Call Reports due by September 30, 2004. The contract was modified on January 21, 2005 to address industry feedback and allow more time for system testing and enrollment. The modification revised the system deployment date from October 2004 to September 2005.

[1] The Call Report agencies include the FDIC, the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB). Financial institutions regulated by the Call Report agencies are required to submit quarterly Consolidated Reports of Condition and Income, commonly referred to as Call Reports.

BACKGROUND

The information in the new CDR system would be relied on as the official source of Call Report information by the federal and state bank regulatory agencies, reporting banks and their service providers, and external users of Call Report data. The FDIC’s Division of Insurance and Research (DIR), acting as the CDR program sponsor on behalf of the FFIEC, asked the FDIC’s Board of Directors to approve up to $44 million (including $4.9 million for contingencies) in funding for the CDR system.
The funding request was based on a cost-benefit analysis that anticipated the following benefits:

• The new process would introduce a new protocol for reporting financial information – Extensible Business Reporting Language (XBRL) – offering opportunities for reduced reporting costs and more efficient operations for both the regulatory agencies and the banking industry.
• The new process would eliminate 10 business days from the current processing timeframe and would set the stage for “real time” data.
• The new system would be both scalable and extensible to allow for new analysis and products.
• Data would be provided to the industry more quickly in formats and with tools that allow users more flexibility for data analysis.
• The new process would increase efficiencies, resulting in a cost savings of $27 million over the 10-year life of the contract.

The Call Report agencies entered into a memorandum of understanding to share in the costs of developing and maintaining the system. The FDIC is funding 80 percent of the project. The FDIC’s Board of Directors approved the funding request, and a contract was awarded to the Unisys Corporation on May 23, 2003.
The contract included the following fixed-price deliverables:

Development and implementation of CDR primary requirements      $11,473,244
Primary requirements hosting and maintenance (years 2-7)         16,630,661
Secondary requirements for system functionalities                 2,080,216
Secondary requirements for hosting and maintenance (years 2-7)       74,897
3 option years for data processing services and maintenance       8,761,580
Total                                                           $39,020,598

On October 24, 2003, the FDIC issued change order no. 1 for the development and implementation of a meta-data management tool for the CDR system. The tool processes the data from the financial institutions for use in the CDR using a set of computer instructions that include dictionaries, reporting forms, taxonomies, business rules, reporting instructions, data validation criteria, system specifications, and data access rules. These instructions are referred to as meta-data. The change order increased the contract cost by $840,000.

Project Management and Oversight

The FDIC has adopted the industry standards included in the Project Management Institute’s A Guide to the Project Management Body of Knowledge (PMBOK® Guide) and the International Business Machines’ (IBM) Rational Unified Process (RUP®) as the methodology for system development. Both the PMBOK® Guide and RUP® emphasize the importance of project management throughout a system’s development life cycle. The PMBOK® Guide describes a set of generally accepted practices for managing all types of projects, including software development projects.
The guide defines project management as the application of knowledge, skills, tools, and techniques to project activities to meet project requirements. RUP® is a software engineering process that describes who does what, when, and how for a software development and deployment project. RUP® organizes such projects with an iterative approach that addresses risk early and continuously.

The FFIEC Task Force on Reports was established to develop interagency uniformity in the reporting of periodic information that is needed for effective supervision and other public policy purposes. To this end, the Task Force began to develop a new Internet-based business model for processing the quarterly Call Reports. The Call Report agencies have taken a collaborative approach in overseeing the development, implementation, and ongoing operation of the CDR system and other supporting activities that promote the modernization of Call Report data management. Each agency provides specialized expertise and resources to facilitate the implementation of the new Call Report business process. The CDR Steering Committee, composed of senior executives from each Call Report agency, is responsible for monitoring CDR system progress; providing feedback on the performance of the CDR project and oversight managers to their respective supervisors; resolving business, operational, and policy issues related to the development and operation of the system; and reviewing and approving the CDR business continuity plan. The FDIC’s Deputy Director, DIR, and the Deputy Director, Division of Information Technology (DIT), are members of the Steering Committee.

The FFIEC project management team consists of representatives from each of the Call Report agencies. The FFIEC appointed the project manager and contract oversight manager who provide day-to-day project management and have primary interactions with the CDR system contractor.
The project manager reports to the CDR Steering Committee. The oversight manager is responsible for contract oversight, including the review and approval of contract deliverables. The project manager and contract oversight manager are DIR and DIT officials, respectively.

To address changes in the CDR functional requirements, the FFIEC established a Change Control Board (CCB) to implement the CDR system change control process. The CCB members include the contract oversight manager (the CCB Chairman), the CDR project manager, the CDR Steering Committee Chairman (from the FRB), a representative from the OCC, and the Unisys project manager. All project change requests must be approved by the CCB Chairman and the Unisys program manager. However, if a change request has an impact on the cost or schedule of the CDR project, the CCB, CDR Steering Committee, FFIEC Task Force on Reports, and contracting officer must approve the change request. The change control process is depicted in Appendix II.

The CDR project is also monitored by the FDIC’s Capital Investment Review Committee (CIRC), which is responsible for overseeing the capital investment portfolio of the FDIC. The CIRC reviews and approves the Corporation’s capital investment projects and monitors the cost, schedule, and performance of the projects. The CIRC makes final funding recommendations to the FDIC Board of Directors and provides the Board with quarterly assessments of the capital investment portfolio. Finally, the CIRC is responsible for approving all disbursements from a project’s contingency reserve.

Unisys project management responsibilities consist of program and project oversight, subcontractor management, financial oversight, and technical oversight, including subject matter experts.
Unisys developed its own risk management plan and reports weekly to the FFIEC contract oversight manager and project manager. Unisys also maintains the project plan that tracks project milestones and deliverables.

Project Status

The CDR system was originally planned to be deployed by September 2004. However, on January 21, 2005, the FDIC and Unisys executed a contract modification reflecting a new planned deployment date of September 2005. In a January 28, 2005 FDIC press release, the Call Report agencies announced a new implementation plan for the CDR. According to the press release, banks would not be required to submit Call Report data to the CDR until October 2005. The release further stated that rollout of the CDR was postponed to address industry feedback and allow more time for system testing and enrollment.

The delays in development and testing have continued to occur. Some tests, such as use case functionality testing, had been initially completed, but the defects identified during testing have not been corrected. In addition, other critical tests such as the full system testing (end-to-end testing) and security certification and accreditation have not yet been performed. Completing system development and testing within the revised milestone dates is critical to the ability to deliver the CDR project by September 30, 2005.
Table 1 shows the original and revised milestones of three key tasks that need to be completed.

Table 1: CDR Project Schedule of Key Tasks

Key Milestones                              Original Planned  Revised Planned   Delay
                                            Completion Date   Completion Date
CDR End-to-End Test Report and Acceptance   08/06/04          07/01/05          11 months
Rollout Pilot Program                       09/22/04          09/09/05          12 months
System Launch                               10/01/04          10/01/05          12 months

RESULTS OF AUDIT

The CDR project management team has established adequate project management controls in accordance with practices recommended by the PMBOK® Guide and RUP®. However, the CDR project has been faced with both management and technical challenges associated with fielding new technology across multiple platforms, accommodating highly diverse users, and adopting new business practices associated with the call reporting process. The project team has been unable to overcome the challenges, and implementation of the CDR system has been delayed for at least 1 year. This lack of progress raises concerns as to whether system functionality as originally envisioned can be attained.

The CDR project management team has reported the delays encountered to the CIRC and has taken several actions to address project progress and performance.
For example, the team has made changes in key project management positions, increased oversight and reporting requirements, and modified the contract with Unisys to include a penalty for non-performance. In addition, Unisys has performed an internal review of the project to evaluate progress and performance. The internal review identified a need for improved communication between the project team and Unisys to resolve disagreements about system requirements and additional Unisys resources for the project.

However, the CDR project team has not updated the risk management and contingency plans to address the risks posed by:

• pending change requests related to significant system functions;
• system requirements that will be met after, rather than upon, system delivery;
• secondary options for system functionalities that, if not exercised, substantially decrease the system’s expected benefits and effectiveness; and
• continued delays in meeting milestones.

Table 2 identifies the potential impact of the risk areas on the success of the CDR project. We adapted the CDR project team’s methodology to determine the risk levels.
See Appendix V for a more detailed description of this methodology.

Table 2: Risk Areas That Could Affect the CDR Project

Risk Area               Description                                         Impact [a] Risk Level
                                                                            C  S  B
Change Requests         • Update the project management plan to reflect     X  X  X    High
                          current contract requirements.
                        • Enhance the meta-data management capability to    X     X
                          import external edits.
                        • Provide ad hoc query capability.                  X     X
                        • Provide the FDIC access to business rules.           X  X
                        • Implement meta-data versioning.                   X     X
                        • Correct data edit design.                         X     X
Delayed System          • Current design functionalities delayed until            X    Moderate
Functionalities           after CDR system delivery date.
Secondary Options Not   • Online Analytical Processing (OLAP) tool,[b]            X    High
Exercised                 UBPR, Call Report Facsimiles, and E-Commerce
                          Facility.
Schedule Slippages      • Schedule slippages in the September 30, 2005      X  X  X    High
                          delivery date schedule.

[a] C-Cost, S-Schedule, B-Benefits.
[b] The OLAP tool option was exercised at the time the contract was awarded, but development work has not been completed. These options are discussed in detail on page 9 of this report.

Without adequate risk management and contingency planning, the CDR project costs could exceed the current budget, additional system development delays may occur, and anticipated benefits may not be realized.

RISK MANAGEMENT AND CONTINGENCY PLANNING

The pending change requests, delayed system functionalities, unexercised secondary options, and continued schedule slippages could significantly impact the cost, schedule, and benefits of the CDR project. The CDR project management team has not adequately addressed these risks in its risk management plan and contingency plan. As a result, the CDR project team may not be able to properly identify and mitigate the risks should they materialize.

Risk Management Guidance

The PMBOK® Guide encourages the use of risk management techniques to identify, analyze, and plan for new risks, track identified risks, continually reassess existing risks, monitor residual risks, and review the execution of risk responses while evaluating the effectiveness of those responses. The objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of adverse events on the project. The PMBOK® Guide highlights the relationship between identified risks and potential corrective actions, including contingency plans. The contingency plan is triggered when the risks identified during the risk management process are realized.

Impact of System Status on Cost, Schedule, and Benefits

The CDR project management team developed a risk management plan and a contingency plan for the purpose of addressing development risks.

• The risk management plan provides strategies for identifying, minimizing, and responding to risks.
  The plan identifies risk areas that are rated significant, moderate, or minimal based on the potential impact of the risk and the likelihood the risk will occur. The risk ratings are intended to be reevaluated monthly and changed as circumstances dictate. The risk management plan also includes the risk mitigation plan, which is used to address risks determined to be significant. The risk mitigation plan includes risk details, assignment of responsibilities, mitigation strategies, and contingency plans in the event the risks materialize.

• The contingency plan identifies proposed actions that could be taken at key points in the system development life cycle if the system’s test results are less than satisfactory. In the early stages of system development, the proposed actions for unacceptable test results rely heavily on applying additional resources to correct defects and retest. For later development stages, other actions are considered such as partial or delayed implementation of the CDR system.

The CDR project management team has not determined the impact on cost, schedule, and benefits of (1) several key change requests, (2) the delayed implementation of some system functionalities, and (3) unexercised secondary options for functionalities and has not updated the risk management plan and contingency plan accordingly. Although the contingency plan states that the risk management team and the CDR Steering Committee should re-assess the plan in light of ongoing project events and revise the plan as necessary, the plan has not been updated since June 2004. The contingency plan is based on a September 30, 2004 CDR system delivery date and relies heavily on adding contractor resources and extending the use of legacy systems in the event that the CDR system is not delivered on time.
Recently, during the April 21, 2005 Steering Committee conference call, the possibility of extending the current contract for Call Report processing in the event the new system is not delivered on September 30, 2005 was discussed. However, the contingency plan does not consider possible steps to protect the FFIEC’s interest and investment in the event that the development effort is no longer viable or the contract has to be terminated. The need for an updated contingency plan to reflect that possibility is evidenced by the continued slippage in the CDR system development milestones, several of which were illustrated earlier in this report.

Change Requests

The CCB had not evaluated or approved 23 of 32 change requests submitted through April 22, 2005. The FFIEC project manager, a member of the CCB, stated that the project team had not aggressively pursued completing certain change orders because the priority was to have an operational CDR system in place by October 1, 2005. As shown in Table 3, several of the change requests relate to system functionalities that have a high impact on the CDR and could result in a substantial cost increase in project development and maintenance over the life of the contract.

Table 3: Change Requests With a High Impact on the CDR Project
(Columns: Change Request Not Yet Evaluated or Approved; Description; Impact on the CDR System)

No. 6
  Description: Update of the project management plan for consistency with current contract requirements.
  Impact on the CDR System: Cost and Schedule: The project management plan describes the work performed and the schedule for each task and deliverable, project team organization and responsibilities of key personnel, risk management approach, communications plan, project status reporting, contract deliverables, and related reference material. Without an updated plan, resources may not be adequately allocated to ensure that project deliverables are completed on time and within budget.

No. 10
  Description: Enhancement to provide the capability to import external edits that have been developed outside the CDR system by the FFIEC user community. (This requirement is to be developed after CDR system delivery.)
  Impact on the CDR System: Cost: Without the enhancement, additional time will be required to enter external edits one at a time.

No. 13
  Description: An ad hoc query capability.
  Impact on the CDR System: Functionality, Schedule, and Cost: Without the ad hoc query capability, the FFIEC members may not be able to extract and analyze data as part of their job functions.

No. 20
  Description: Functionality to provide the FDIC access to the CDR meta-data.
  Impact on the CDR System: Functionality and Schedule: Without this access, the FDIC and OCC cannot maintain up-to-date corresponding databases to support internal information needs.

No. 21
  Description: Meta-data versioning to provide the FFIEC the ability to tie a specific Call Report to the report instructions in effect at a given point in time.
  Impact on the CDR System: Cost: Frequent changes are made to Call Report instructions, thereby creating a continuing need for new versions of the meta-data. The cost of additional meta-data versioning changes could be substantial over the contract’s 7-year system maintenance period. This change request is based on contract modification no. 9, which includes revisions to address meta-data versioning for sets of data series in two phases. Versioning for both Phase 1 (pre-implementation) and Phase 2 (post-implementation) will be completed without cost according to modification 9. Although this change request was approved on April 21, 2005, the cost of meta-data versions for additional data series was not addressed. The CDR project team does anticipate there will be a future need for more meta-data versions.

No. 22
  Description: Design flaw correction that is scheduled after the CDR system delivery date.
  Impact on the CDR System: Functionality, Schedule, and Cost: If the design flaw is not corrected, a substantial amount of time would be required to process Call Reports.

The impact of these change requests should be determined prior to system implementation so that the CDR project team can mitigate the risk of implementing a CDR system that does not have the functionalities originally envisioned and is not cost-beneficial.

Delayed Functionalities

As part of the January 21, 2005 contract modification, the FFIEC agreed to accept the delivery of the CDR system with some functionality that would be delayed until after September 30, 2005 (see Appendix III for a description of these functionalities). For example, the Micro Data Reference Manual (MDRM)[2] will be implemented in two phases. During Phase I, the first version of MDRM will be provided by September 30, 2005. An update to MDRM will be provided in Phase II after the system delivery date. Another delayed functionality is system extensibility – adding new capabilities. The requirements documentation for extensibility will be completed by the project delivery date, and the actual work to develop this functionality will occur after the delivery date. The delayed functionalities should not impact the contract cost or current delivery schedule.
However, if the functionalities are not implemented in a timely manner, they could impact the anticipated benefits of improved efficiencies and extensibility over the 7-year maintenance period of the contract.

Secondary Options for System Functionalities

Secondary options for system functionalities were provided for in the CDR system contract and can be unilaterally exercised by the FFIEC within 6 months after delivery of the CDR system. The options consist of system functionalities that are not directly related to processing Call Reports but are critical to realizing the anticipated monetary benefits and functionality of the CDR. The secondary options include the following functionalities:

    • OLAP – Enables the Call Report analysts and CDR managers to generate their own reports through queries of the CDR database through a Web-browser interface.

    • UBPR data – Provides financial data ratios and rankings for use by the Call Report agencies, financial institutions, and the public through a Web-site.

    • Call Report facsimiles – Makes available the non-confidential Call Report data through a public Web-site on a bank-by-bank basis.

    • E-Commerce Facility – Allows the public to purchase Call Report data and would provide for credit card payments and user accounts. Proceeds from this facility would be transferred to the FFIEC Call Report agencies.

According to the FFIEC cost-benefit analysis used to approve the CDR funding, these functionalities provide quicker industry access to non-confidential data; allow more user flexibility for data analysis; and provide increased efficiencies. In particular, should the FFIEC not exercise the UBPR option, the estimated cost savings reflected in the cost-benefit analysis would decrease from $27 million to only $2.7 million.
Exercising the secondary options should not impact the contract cost or the current delivery schedule because the funding for the secondary options was included in the project budget approved by the FDIC’s Board of Directors.

[2] MDRM is the Federal Reserve System’s dictionary that contains definitions, non-financial information, and annotations regarding historical and other information. The MDRM includes, for example, a data name for each entry, a discussion of what to include and exclude in the data, and substitute instructions.

Schedule Slippages

The completion of some key functional tests has slipped since the contract was modified on January 21, 2005. In addition, as of March 22, 2005, system defects that need to be addressed before the CDR system can be delivered have not yet been resolved. The Unisys “trouble report,” completed on March 22, 2005, identified 13 severe functionality defects (see Appendix IV for a description of these defects) that required the test team to stop testing the functions and 45 major defects in functions that substantially did not meet the system requirements. As a result, there is a risk that the planned implementation date of September 30, 2005 will not be met. If the CDR system is not deployed by that date, implementation will be delayed until March 31, 2006.
The March 2006 implementation date is based on management’s decision not to institute a new call reporting process when financial institutions are fulfilling 2005 year-end closing and reporting requirements.

The contingency plan identifies the following needed actions if implementation is delayed:

   • the FFIEC Call Report agencies will need to provide additional staff resources to the CDR system development effort and maintain the current Call Report processing operations;

   • the contract with Unisys may need to be modified;

   • the contract with the current Call Report processing contractor will need to be extended; and

   • the financial institutions and software vendors will need to be notified of the revised CDR system delivery schedule.

These actions, which are based on a 2004 system implementation schedule, may no longer be viable. In addition, the difficulties in completing system functionality tests and addressing all system requirements by the delivery date may be indicative of a need for further analysis. These challenges could require much more time or cost to overcome than anticipated, and the project may no longer be considered cost-beneficial. Accordingly, the revision of the contingency plan based on the current status should include, among other alternatives, project termination if the September 30, 2005 implementation cannot be met.

RECOMMENDATIONS

We recommend that the Director, DIR, require that the CDR project management team maintain current and complete risk management and contingency plans. Specifically:

   (1) The CDR project management team should promptly determine the cost, schedule, and benefits impact of the change requests, delayed implementation of some functionalities, and secondary options for functionalities.
       The change requests should be approved in accordance with the CDR change control process. These determinations should be made before the FFIEC accepts delivery of the CDR system.

   (2) The risk management and mitigation plan should be updated to address the CDR system post-delivery requirements and functionalities.

   (3) The contingency plan should be updated and approved by the CDR Steering Committee to reflect the revised project schedule, including the post-delivery requirements and secondary options. The plan should also address available alternatives, including project termination, if the September 30, 2005 CDR system delivery date cannot be met.

CORPORATION COMMENTS AND OIG EVALUATION

On June 9, 2005, DIR provided a written response to the draft report, which is presented in its entirety in Appendix VI of this report. DIR concurred with the recommendations and described the planned corrective actions to address them. Management’s response to each recommendation is summarized below, along with our evaluation of the response.

DIR concurred with recommendation 1. DIR planned to first prioritize the change requests. The CDR project team has asked the contractor to provide schedule and cost estimates for change requests that are critical to complete before system implementation. In addition, the CDR project manager established a Test Review Board (TRB) in April 2005 to review new change requests and other issues arising from FFIEC testing of the CDR.
The TRB completed an evaluation of all outstanding change requests to validate their prioritization and is scheduled to notify the contractor, by June 15, 2005, regarding which change requests will be required prior to implementation.

After the contractor addresses all the change requests necessary for system implementation, the contractor will also be directed to provide cost and schedule information for the change requests that can be addressed after CDR implementation. DIR also noted that the contract does not currently require the contractor to provide schedule and cost estimates on all outstanding change requests prior to system implementation.

DIR indicated that the FDIC intends to hold the contractor responsible for any system functionalities or change requests that are implemented after the CDR is delivered and are determined to be within the scope of the contract at no additional cost. In cases where completion of a change request is postponed until after system implementation, the Contracting Officer will likely conditionally accept the CDR but withhold a portion of the payment on the final deliverable if the change request is within the original contract scope. Any deferment of functionality past initial implementation will be formalized in a contract modification. Change requests that require FFIEC payments above the firm fixed price will be formalized in a contract modification and will be subject to the approval processes both within the FDIC and at the FFIEC. DIR also noted that the FFIEC has until March 31, 2006 to exercise any desired secondary options.
Prior to exercising secondary options, the FFIEC will consider all appropriate information, including contractor performance, changing priorities within the FFIEC, and alternative approaches for achieving the results envisioned by the secondary options.

Management’s planned actions are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that the agreed-to corrective actions have been completed and are effective.

DIR concurred with recommendation 2. The FFIEC risk management plan identifies 23 risks to the project and issues related to the functionalities that will be implemented after September 30, 2005. To fully monitor the issues and identify any associated risks, the FFIEC Risk Manager will be briefed on the cost and schedule impacts of all change requests that are accepted. This will be an ongoing process through September 15, 2005.

Management’s planned action is responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

DIR concurred with recommendation 3. The CDR project team will update the contingency plan to reflect the revised project schedule and post-implementation functionality. The plan will also address any available alternatives being considered if the risks rise to an unacceptable level. The plan will be presented to the CDR Steering Committee for review and approval at its June 16, 2005 meeting.

Management’s planned action is responsive to the recommendation.
The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of the audit was to determine whether CDR project management was adequate. Our objective included a review of the:

   • system development life-cycle controls;
   • cost, schedule, and performance management;
   • procurement and contract oversight;
   • test and evaluation; and
   • system security, including the performance of certification and accreditation in compliance with the standards published by the National Institute of Standards and Technology.

Scope

At the completion of our field work, CDR project development had not progressed to the point at which all system controls identified in our objectives were fully developed and implemented. Specifically, test plans had not been completed, many key tests identified in the project plan had not yet been performed, key aspects of the security testing had not been completed, and the certification and accreditation process had not yet begun. Therefore, our work focused on system development controls; cost, schedule, and performance management; and procurement and contract oversight.

Methodology

We performed the following activities during our audit:

   • Reviewed the overall project management approach for consistency with PMBOK® Guide and RUP® standards.
     This review included the project management plan, Unisys and FFIEC risk management plans, and project plan schedule to determine if the plans were in use and effective.
   • Reviewed the system development life-cycle approach to project development to determine whether the approach was consistent with development standards.
   • Reviewed and evaluated the processes and controls for managing and tracking project cost, schedule, and performance to assess whether the FFIEC provided adequate oversight of the project.
   • Interviewed key CDR project management staff to identify the causes of development delays and other performance issues and any action taken to address the schedule and performance issues.
   • Reviewed the contract and modification documentation to determine if the contract requirements were met.
   • Reviewed selected system test plans and observed testing to evaluate the overall testing approach.
   • Provided feedback to the CDR project team on the penetration test plan.
   • Obtained and reviewed Unisys site visit reports prepared by the FFIEC, the General Services Administration, and the Small Business Administration. The reports identified that Unisys facilities had adequate security.
     However, because the CDR project was not fully developed or operational, the site reviews could not address project-specific security concerns.

Internal Controls

We performed an assessment of the internal controls, including the control environment, risk assessment, control activities, information and communication, and monitoring related to the CDR project management activities for the system development. Generally, the CDR project management team established and implemented an adequate structure of management controls. However, as discussed in the audit report, the risk management and contingency plans need to be updated to reflect the risk associated with post-implementation functionalities and changes, and the risk that the CDR development becomes unacceptable.

Federal Information Security Management Act (FISMA), Title III, Information Security, of the E-Government Act of 2002, P. L. No. 107-347

This statute, codified at Titles 40 and 44 of the United States Code, provides a comprehensive framework for ensuring the effectiveness of information resources that support federal operations and assets. The statute also emphasizes the need to provide effective government-wide management and oversight of the related information security risks. Portions of the Act apply to the FDIC, and other portions address prudent business practices. The CDR project management team has included FISMA-related concepts in its project management activities. Specifically, the project management team has developed a security plan, assigned security responsibility, and included plans for periodic review of the security controls and system authorization prior to operations.

Reliance on Computer-based Data

We assessed the reliability of the information on project status maintained in the Microsoft Project® application, and the information related to problem reporting and resolution tracked in the ClearQuest® application to ensure that computer-processed data were valid and reliable when those data were used during audit field work. We verified selected automated data to source documentation and corroborated automated data through interviews with appropriate FDIC personnel. We determined that the data were sufficiently reliable for the purposes of this audit.

Performance Measures

Implementation of the CDR by December 31, 2004 was included in the FDIC 2004 Annual Performance Plan as an indicator and target for addressing the annual performance goal to maintain sufficient and reliable information on insured depository institutions. As discussed in the audit report, the implementation date for the CDR has been revised to September 30, 2005.

Our audit covered the period from contract award in May 2003 through April 2005. We performed our audit at the FDIC’s Washington, D.C., offices from October 2004 through April 2005 in accordance with generally accepted government auditing standards.

Prior Audit Coverage

Prior to this audit, we issued the following reports related to the CDR.

   • Audit Report No. 03-018 entitled, Review of FFIEC Call Report Modernization Cost Benefit Analysis, dated March 31, 2003.
     The report assessed whether the cost information included in the cost-benefit analysis was supported and the assumptions were reasonable.

   • Evaluation Report No. 04-014 entitled, XBAT Contracting and Project Management, dated March 26, 2004. The report evaluated the contracting and development of the XBRL Business Analysis Tool (XBAT).

APPENDIX II

CDR CHANGE CONTROL PROCESS

[Figure: flowchart of the CDR change control process. Column labels: Submitter; Administrative Support; CCB Chair & PMs; CCB; SC/Task Force/CO. Box labels: Submit CR; Log CR; Schedule CR Review Meeting; Review CR; Prepare Decision Summary; Determine Impact; Change to Cost/Schedule; Assign Resources and Perform Work; Issue Task Order; Additional Cost?; FFIEC Task Force on Reports & CO Approval?; Agencies’ Approval?; Approved? (Yes/No); Closed.]

CR – Change Request.
CCB – Change Control Board.
PM – Project Manager.
SC – Steering Committee.
CO – Contracting Officer.

APPENDIX III

DELAYED FUNCTIONALITIES AND SECONDARY OPTIONS

Delayed Functionalities

   • Enhancements to the meta-data management tool for importing edits. In the current design, edits developed outside the CDR system must be entered one at a time. Without this enhancement, additional time will be required to enter external edits.

   • Ad hoc query capability. Extracts and analyzes any data in the system without restrictions.

   • FDIC access to meta-data. The FDIC and OCC require this access in order to keep corresponding databases up to date.

   • Meta-data versioning. Provides the FFIEC the ability to tie a meta-data version to different series of meta-data.

   • Changes to data edit process.
     Corrects a flaw in the current CDR design that will require a substantial amount of work to process Call Reports.

   • Extensibility. The ability to expand system capabilities to accommodate new users and additional requirements.

Secondary Options

   • OLAP reporting. The OLAP tool is a category of database software that provides an interface so users can transform raw data according to user-defined functions. The benefit of OLAP is the capability to aggregate large amounts of diverse data most commonly used by a group of users for fast retrieval and analysis.

   • UBPR data processing. UBPRs are an essential output for which the Call Report data is used. Each UBPR is a multi-page report that consists of financial data organized into income and balance sheet, asset quality, capital, and other information. UBPR data is displayed by individual banks, peer groups, and percentile rankings by peer group.

   • Call Report facsimiles. Would allow the public to obtain non-confidential Call Report facsimiles through a browser-based interface.

   • E-Commerce facility. Would allow the public to purchase Call Report data through an E-commerce facility.

APPENDIX IV

SEVERE DEFECTS IDENTIFIED IN MARCH 22, 2005 UNISYS TROUBLE REPORT

 • Users unable to securely download up to six Call Reports in order to validate that the current Call Report is accurate as required.

 • System is not properly evaluating formulas containing concepts that have non-negative decimal datatypes.

 • Call analysts are not able to adequately retrieve and update reporting cycle status as required.

 • System administrator was able to change report cycle status.
   This capability should not have been available to the administrator.

 • System displays National Information Center (NIC) attributes at a given point in time rather than for specific reporting cycles.

 • Inability to sort the report cycle list from the drop-down menu. This will make the function increasingly unusable.

 • Screen space requires excessive use of the scroll bar.

 • The meta-data management tool design does not support different derived concept versions for different data series or for different time periods within a data series.

 • Panel of reporters (institutions required to file Call Reports) filter does not appear to allow the user to import script for a new filter for the panel of reporters for a new data series to support extensibility requirements.

 • The NIC attributes need to be fully displayed.

 • Incorrect order in meta-data presentation in one schedule.

 • Value presentations for some items do not meet specifications.

 • Reportability taxonomy extracts data from the long description field rather than the long caption field.

APPENDIX V

DETERMINATION OF RISK

The degree of risk associated with any adverse event is dependent on the likelihood that the event will occur and the probable impact of the event. Expressing these two factors in easily usable and understandable terms is essential.

The likelihood of an event occurring is the probability of the event. Precise and accurate probability estimates are nearly impossible to determine.
A rating of high, medium, or low is assigned to the likelihood of occurrence based on the status and trend of the risk factor.

A designation of catastrophic, critical, marginal, or negligible is assigned in the impact rating. The impact rating is based on the impact of the risk on the stated benefits of the full system development.

Using the following table developed by the CDR project team and adapted by the OIG, we determined the overall risk for the individual risk areas.

                     Likelihood of Occurrence
 Impact          High        Medium      Low
 Catastrophic    High        High        Moderate
 Critical        High        Moderate    Moderate
 Marginal        Moderate    Moderate    Low
 Negligible      Low         Low         Low

 Source: CDR Project Team as Adapted by the OIG.

APPENDIX VI

APPENDIX VII

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec. Number: 1
Corrective Action (Taken or Planned/Status): DIR planned to first prioritize the system change requests based on the need to complete critical changes before initial system implementation. Other change requests will be processed after the critical changes are made. Secondary options will be evaluated before the March 31, 2006 date for exercising the options.
Expected Completion Date: March 31, 2006
Monetary Benefits: No
Resolved (Yes or No) [a]: Yes
Dispositioned (Yes or No) [b]: No
Open or Closed [c]: Open

Rec. Number: 2
Corrective Action (Taken or Planned/Status): The issues that relate to functionality implemented after September 30, 2005 will be reported in the risk management plan by September 15, 2005.
Expected Completion Date: September 15, 2005
Monetary Benefits: No
Resolved (Yes or No) [a]: Yes
Dispositioned (Yes or No) [b]: No
Open or Closed [c]: Open

Rec. Number: 3
Corrective Action (Taken or Planned/Status): The CDR project team will update the contingency plan and present it to the CDR Steering Committee at its June 16, 2005 meeting.
Expected Completion Date: June 16, 2005
Monetary Benefits: No
Resolved (Yes or No) [a]: Yes
Dispositioned (Yes or No) [b]: No
Open or Closed [c]: Open

[a] Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
[b] Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.
[c] Once the OIG dispositions the recommendation, it can then be closed.